How to enable group IKE and group user VPN in GlobalPro so that one IKE gateway is set up for all the users in the same user group.

[KB6358]


Summary:
How to enable group IKE and group user VPN in GlobalPro so that one IKE gateway is set up for all the users in the same user group.
Symptoms:
Without group IKE enabled, GPro will set up one IKE gateway for each individual user.
Solution:

To enable group IKE in GPro, assign an IKE ID to the user group of interest and specify a share-limit for the number of users who can share this group IKE ID when connecting to the firewall device. Also make sure that each user's individual IKE ID contains the group IKE ID as a substring.

For example, suppose the group IKE ID "netscreen" is specified for a user group named "dialup", which contains the users john, tom, and mary, whose individual IKE IDs are john@netscreen.com, tom@netscreen.com, and mary@netscreen.com, respectively. GPro will then create the following ScreenOS commands:

set user "netscreen_gu_user" uid 1
set user "netscreen_gu_user" ike-id u-fqdn "netscreen" share-limit 100
set user "netscreen_gu_user" type ike
set user "netscreen_gu_user" "enable"

set user-group "netscreen_gu" id 1
set user-group "netscreen_gu" user "netscreen_gu_user"

That is, GPro creates a special user "GROUP_ID_gu_user" with the configured group IKE ID and share limit, and then creates a special user group named "GROUP_ID_gu" (for use with the "set ike gateway" command) containing that special user. When individual users dial in, their IKE IDs are matched against the group IKE ID, which leads to the IKE gateway configured with the special user group.
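
The substring rule and the generated commands described above, as an added example (not GlobalPro's own code): it checks a user group's individual IKE IDs against the group IKE ID and renders the command set in the shape shown in this article. The function names, the extra user "bob" and the share-limit warning are assumptions made for illustration.

```python
# Added example; function names and sample data are constructed.

def check_group_ike(group_ike_id, share_limit, user_ike_ids):
    """Validate one user group before pushing it with group IKE enabled.

    user_ike_ids maps user name -> individual IKE ID.
    Returns (mismatched_users, warnings).
    """
    if not group_ike_id:
        # "" is a substring of every string, so it would match any IKE ID.
        raise ValueError("group IKE ID must not be empty")
    if share_limit < 1:
        raise ValueError("share-limit must be at least 1")
    # Rule from the article: each individual IKE ID must contain the
    # group IKE ID as a substring.
    mismatched = sorted(user for user, ike_id in user_ike_ids.items()
                        if group_ike_id not in ike_id)
    warnings = []
    if len(user_ike_ids) > share_limit:
        # Assumption: share-limit caps how many users can use the ID at once.
        warnings.append("%d users but share-limit is %d"
                        % (len(user_ike_ids), share_limit))
    return mismatched, warnings


def render_group_ike(group_ike_id, share_limit, uid, group_id):
    """Render the command set in the shape shown in the article."""
    user = "%s_gu_user" % group_ike_id
    group = "%s_gu" % group_ike_id
    return [
        'set user "%s" uid %d' % (user, uid),
        'set user "%s" ike-id u-fqdn "%s" share-limit %d'
        % (user, group_ike_id, share_limit),
        'set user "%s" type ike' % user,
        'set user "%s" "enable"' % user,
        'set user-group "%s" id %d' % (group, group_id),
        'set user-group "%s" user "%s"' % (group, user),
    ]


if __name__ == "__main__":
    dialup = {  # constructed sample: the article's users plus one bad entry
        "john": "john@netscreen.com",
        "tom": "tom@netscreen.com",
        "mary": "mary@netscreen.com",
        "bob": "bob@example.org",
    }
    print(check_group_ike("netscreen", 100, dialup))
    print("\n".join(render_group_ike("netscreen", 100, 1, 1)))
```

Because the check is plain substring containment, a short group IKE ID such as "net" would also be contained in IKE IDs from unrelated domains, so choose a group IKE ID that is specific to the group.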


 

